This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and ClarityBuilds Ltd ("Processor", operator of Atend) for the use of the Atend service. It governs the processing of personal data carried out by the Processor on behalf of the Controller under Art. 28 of the EU General Data Protection Regulation (GDPR).
1. Subject matter and duration
The Processor processes personal data on the Controller's instructions solely to provide the Atend time-tracking service for the duration of the agreement. On termination, Clause 8 applies.
2. Nature and purpose of processing
Automatic capture of work-activity metadata, its classification into billable time, reporting and invoicing, and account administration, as described in the Privacy Policy.
3. Categories of data subjects and personal data
- Data subjects: the Controller's users (account owners, team members).
- Personal data: account data (name, email, hashed password); activity metadata (idle/active state, foreground application name, whether a tracked agent was running, start/end times, attributed project); billing details; technical data (IP, device identifiers, logs). The Processor does not process keystrokes, screenshots, screen or document contents, browsing history, webcam, microphone, or location.
4. Controller's obligations and instructions
The Controller determines the purposes and means of processing and warrants it has a lawful basis. The Processor processes the data only on the Controller's documented instructions, which include this DPA and the configuration choices made within the service.
5. Confidentiality
The Processor ensures that persons authorised to process the personal data are bound by confidentiality.
6. Security measures (Art. 32)
- Data hosted within the European Union (Germany).
- Encryption in transit (HTTPS/TLS); the desktop agent's device credential is encrypted at rest on the user's machine.
- Per-device, ingest-scoped credentials that the Controller can revoke at any time.
- Least-privilege access, secret storage in a managed key vault, and audit logging.
- Data-minimisation by design: metadata only, never content.
7. Sub-processors
The Controller authorises the Processor to engage sub-processors. The current sub-processors are Microsoft Azure (cloud hosting, EU region) and the Controller's chosen email provider for transactional mail. The Processor remains responsible for its sub-processors and will give notice of any intended change, allowing the Controller to object.
8. Assistance, breach notification, deletion and audits
- The Processor assists the Controller in responding to data-subject requests and in meeting its Art. 32 to 36 obligations, taking into account the nature of processing.
- The Processor notifies the Controller without undue delay after becoming aware of a personal-data breach.
- On termination, the Processor deletes or returns the personal data at the Controller's choice, save where retention is required by law. Account holders can export and delete their data self-service at any time.
- The Processor makes available the information necessary to demonstrate compliance and allows for reasonable audits.
This document is provided as a standard DPA for Atend customers. For a counter-signed copy or enterprise terms, contact info@claritybuilds.net.